One other thing to be aware of is that your host that gets updated will be put into maintenance mode when VUM applies updates. So if you do not have DRS moving your VMs elsewhere when this happens, they will be powered off. So if you do not have DRS, you want to shut all VMs down manually (could shut down guest OS from vCenter) on the host in question first. I only use Essentials and have had to do that very thing to use VUM.

I cannot remember how often VMware released patches, but you can set the administrative options for VUM to check for and download new patches, etc. on a schedule.

I've only really worked with VUM in a test environment separate from production but want to start using it in full production one of these days. So to that point I have not had to roll back because something broke but know it is possible. Some people probably roll patches into a test environment first.

I do know that VUM will alert you if there is any patch or extension you have installed which is obsoleted by future patches you have downloaded but not applied. You could set your baseline to only scan for compliance against critical host patches that may be for security. Maybe you could make a different baseline for upgrades and not be as quick to apply them as the critical patches? Some environments have to make sure they are on the latest security patches for compliance reasons.